Edit: I wonder if the bad guys were able to access private Direct Messages, too. There's always talk about resetting passwords, but nobody ever mentions all the other confidential data that might be pastebin'ed later.
This attack was not the work of amateurs, and we
do not believe it was an isolated incident. The
attackers were extremely sophisticated, and we
believe other companies and organizations have
also been recently similarly attacked.
Anyone have any clue what the possible motives behind this could be? My best guess is someone is trying to mine for private data that may have been sent over DM (Maybe Obama is sending nuke launch codes over DM). Other than that twitter's data is mostly public and I don't see the benefit of carrying out such an attack to simply impersonate Justin Bieber on Twitter. I also don't suspect Twitter to be the type of company that would leave their passwords easily crackable either. Doesn't make sense that were mining for valid emails either, there are cheaper ways of getting access to those.
There are moderate numbers of people who use Twitter for online activism. That would point more to Syria or Iran or another Middle Eastern country, since Twitter is more popular there than in China or the Chinese language.
Nobody hacks Twitter just to get valid emails or impersonate someone. That's ridiculous.
Pretty clearly this was the work of governments e.g. China, Iran who are trying to find out more about political dissidents or the sources of leaks. They are the only ones who would use lucrative exploits against Twitter, NYT, WSJ etc.
So to make this clear, the best guess is these attacks are being done by governments in an effort to find out who is leaking data to Twitter, NYT, etc?
Pretty interesting if you ask me, is it likely the use would sick the best hackers at the NSA if top secret information was being leaked on the bizzaro world's Chinese Twitter? It almost sounds like the prologue to the worlds first CyberWar.
To reiterate what I've been posting elsewhere, I'm sure there is a lot of compromising material in the Direct Messages of certain well-picked accounts, for a wide range of motives.
There is nothing clear about this attack at all, thus it's grossly unfair to cast aspersions on any country or select group of individuals unless there is hard evidence.
At first i thought the email was phishing but sure enough my acct was reset even with 17 chars. i wonder if Twitter can cull any correlations from this compromised pool, epidemiological-like
Hmm. Perhaps that explains why I got an email from them saying my account was compromised. Specifically, it said "Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account." It then went on to imply that I was phished, which is extremely unlikely (not only am I incredibly paranoid about that kind of thing, but I haven't actually entered my Twitter password on any website in a long time. I just use the mobile app on my phone.)
Me too, and I've never attached an app to twitter. (I've got an account that I basically have signed into 3 or 4 times in 5 years). I'm curious why my username came up as being compromised, unless they're doing something sneaky about updating all passwords older than x yrs old.
edit: The attacker got salted password hashes. That explains it.
Yup, just got the same email. I really wish they had linked to the blog post and explained the situation in more details instead of using the standard email template. It's interesting though that one of the recommendations was to revoke access to third-party apps.
I got a similar message several months back, but that wasn't part of a larger leak; apparently some website I'd used a while ago had been compromised and I was using my throwaway password on Twitter at the time. Suffice to say, it's using a real one now - fifty-some-odd characters of random garbage generated and stored by 1Password. It's never been used anywhere else, so getting this email a second time just now was quite a shock (this time, my reaction was "really guys, again?" rather than "wtf?")
To their credit, they caught the first instance crazy-fast (my password had been reset automatically within about five mintes of a rogue tweet, though not before a friend texted me about it). This time I didn't see any activity at all, so I assume it was more proactive.
I'd still like an MFA option, especially with how infrequently I actually log in to twitter. However, I do like the "check your OAuth grants" page you're taken to after changing your password.
I sincerely hope Twitter would know better than to leave those vulnerabilities exposed on any Rails code they're still using. Also, that probably wouldn't count as a "sophisticated" attack in their book...
Attacks are always described as sophisticated in press releases. What do you expect them to say? We were asleep at the wheel and got owned by someone pointing Metasploit on our servers?
The way these things have been going (client-side vulnerability exploitation), I would suspect that the exploited vulnerabilities were closer to the laptops of Twitter employees than the Twitter application itself.
The blog post mentions turning off Java in your browser, which could be a clue to the attack vector Twitter suffered, and it's written by someone from "Information Security" rather than someone from Application Security.
Great point. I'm sure it's easier to compromise a developer or sysadmin and use that to jump onto the production system, rather than going straight at the main app.
Issue is that you don't know which of the tens of thousands of internal IP addresses would correspond to the one or two sysadmins who would have production access.
Which means either the production servers were hacked or there was a widespread compromise of their internal network and systems e.g. email, IM.
I'm sure more than 2 people at twitter have production access.
And identifying the senior staff isn't probably that hard, they probably have quite visible twitter accounts.
As someone mentioned in a completely different thread, it'd be enough to have a vulnerable rails running on localhost:3000 on your laptop and "accidentally" being hit with a CSRF, for example.
Get a shell on some staffers laptop and stay dormant, I'm sure you'll catch a live ssh session soon enough [with access to that ssh client's process memory] (in fact you'd get quite far just with a copy of the id_rsa + known_hosts files)
Yea you really only need the contents of ~/.ssh and you could access every server the laptop could.
Even if they didn't have production access, a lot of times servers are configured to easily hop from one to another. They could have connected to a development server and then just hopped to the DB server with the accounts it seems they were looking for.
It's useful, but if an attacker got a shell on the dev laptop, I assume he could just coredump the ssh-agent process and steal the unlocked key from there.
Downvoted your guess because you didn’t even cite the recent trend (which is mentioned in the article) of reported Chinese hackings, and you contribute nothing.
> usernames, email addresses, session tokens and encrypted/salted versions of passwords
Wow, finally a breach where the hackers DIDN'T make off with all of our passwords in plain-text. Kudos to Twitter for actually handling passwords properly, considering the eventuality that all websites are vulnerable to attack.
I would feel better if I new how they handled passwords. Hopefully it is a hash and not encrypted. And hopefully that hash method is bcrypt (or something similarly painful to crack).
> Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account.
I really don't like how they decided to release this on a friday afternoon. I know exactly why they did it, and why it is a smart PR move but it also means two things:
- People's accounts might have been compromised earlier "this week" and they could have used that extra warning time to make sure the damage didn't spread to their other online accounts.
- People who might have been compromised are now less likely to see the announcement, so if anything is compromised there's less chance they will react to mitigate damages.
Sadly you are exactly right. I wish companies would put both of these things first. Why so often does one have to come at the expense of the other?
Yes i know this is "naive" thinking, but i also think its the kind of thinking that can change a company for the better. Would it be easy? No. But in the end it its use the users that have to not think so critically of these "political pitfalls"(my words). Hacking happens, time and time again this stuff happens. If twitter(or another company) took measures to protector there users and didn't do something completely stupid like keeping plain text info, we should all just take what happened for what it is and move on. With these situations coming more and more common we are going to have to do this anyways.
Or it could have actually just been discovered today. It's too easy to sit from afar and assume the worst. Maybe sometimes things just happened this way.
Maybe the "bad" people involved in the attack figured if they got away with it less people would be looking on a weekend so they could get further.
Just saying... it's easy to assume "big" companies do what's best for them aways... but really they're just a bunch of people trying in most cases to do the right thing. So, before you click "fire" on that enter key... think about it.. there are people on the receiving end... probably a lot like you.
Today could be really bad if they discovered later that the attack had been going on longer tomorrow... never know which way the spin or reporting is taking the real story once it hits print...
There is another possibility, which is that they didn't work out what was going on until Thursday.
And anyone whose account has been compromised has received an email, a far more likely way of seeing the message than relying on everybody to occasionally check Twitter's blog for news.
The official Twitter release was titled "Keeping our users secure". My gut response after reading the first couple of paragraphs was, "Are you fucking kidding me?" That title, combined with the day/time of release really has the cynic in me riled up.
EDIT: It'd be great if anyone willing to downvote would explain why it's OK for Twitter to title a notice involving a breach of security resulting in the exposure of 250,000 records containing sensitive information, "Keeping our users secure". Because it really kind of pisses me off when I read it.
EDIT, EDIT: Highest karma volatility (up, down, up, up down, etc) of any comment I've ever posted on Hacker News. I really am genuinely interested in counter points.
HN meta: It would be interesting to see per-comment volatility as an indicator of moderation convergence. Anyone know if the HNSearch dataset is rich enough to do this?
1) There is no evidence that all of the records were compromised. So Twitter is keeping users secure by proactively resetting passwords.
2) People need to get over this Friday afternoon release. Twitter is a global company so it's not Friday everywhere and regardless it could purely be coincidental.
The Friday release thing doesn't aggravate me nearly as much as the title.
Security is tough. Really, really tough. I'm not here to crucify them for the breach, but the title glosses over the event in a way that is disingenuous at best. When you border on dishonesty with your title, people begin to question your motives.
The title isn't meant for anyone who's account was compromised. Mine was, I got an email. The subject was "Twitter has reset your account password". No beating around the bush there.
I'm not upset, it sounds like they detected it quickly and went out of their way to make sure everyone was not only notified but ensured that their account was safe. 250k users is a very small number of their accounts. A literal drop in the bucket. It sounds to me that they're going after the hackers and I appreciate that.
Settle down. "Keeping our users secure," just means "There was a problem, and here is what we have done to mitigate it." You have correctly observed that they chose, in their announcement, to downplay the breach and focus on what steps they've done to address it. What did you expect?
Let's all take a deep breath and remember: It's. Just. Twitter.
Though twitter seems trivial to a lot of people, Wikipedia has 4 different suggestions[1] when you search for 'twitter revolution'. So perhaps it's not so trivial and celebrity-focused as it seems to us non-users.
And if someone used Post-it Notes in a novel way to aid revolutionary efforts, we'd suddenly decide that they are a critical piece of infrastructure that needed to be super-secure, too, right?
It doesn't really matter to me who the message comes from. When did the truth cease to matter? I'm not naive. I recognize that this kind of thing happens all over the place, but that's exactly why I get so frustrated at this type of communication, and frankly, at your response. If your attitude becomes, "Oh well, it's just Twitter, so the dishonesty doesn't matter," then we can only expect more of the same. Everyone around Twitter will watch as they perpetrate falsehoods in communication, and they will follow suit.
It's not that "dishonesty doesn't matter" it's that you really shouldn't expect a company to go out of its way to call attention to its own screwup. They only want to bring this to the attention of people who need to know for security reasons, and they directly emailed all of those people. The sole purpose of the blog post was "oh, in case you heard about a security breach, you'll be happy to know that we've mitigated the problem. Aren't we doing great?" Even if you think the answer is "no," there is really nothing dishonest there.
I'm inclined to give them some benefit of the doubt. It seems like they could have found out on, say, tuesday, started investigating (post-intrusion analysis is very lengthy to do thoroughly) and the boss said "we need to release a statement by the end of the week, so find out what was taken and how users are affected."
They'll likely be doing forensics for months after this, so alerting the public a few days in to the investigation is actually pretty good.
What you should be concerned about is all of the companies who got owned in this campaign and will not be confessing. This is big, and a few more companies will admit it early, a few will sneak vague statements in their SEC disclosures, and a few will cover it up completely.
This is the text of the message I received (once for each account, all created back around the same time January 2007):
Hi, dewitt
Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account.
You'll need to create a new password for your Twitter account. You can select a new password at this link: ***
As always, you can also request a new password from our password-resend page: https://twitter.com/account/resend_password
Please don't reuse your old password and be sure to choose a strong password (such as one with a combination of letters, numbers, and symbols).
In general, be sure to:
Always check that your browser's address bar is on a https://twitter.com website before entering your password. Phishing sites often look just like Twitter, so check the URL before entering your login information!
Avoid using websites or services that promise to get you lots of followers. These sites have been known to send spam updates and damage user accounts.
Review your approved connections on your Applications page at https://twitter.com/settings/applications. If you see any applications that you don't recognize, click the Revoke Access button.
For more information, visit our help page for hacked or compromised accounts.
The Twitter Team
Best of luck to the security and support teams. Days like these are not fun at all.
And for people trying to puzzle out who was impacted, several these accounts (all with random strings for passwords, btw) were barely ever used at all, often not for several years. The only thing they had in common was their early creation date, and hence relatively low user ids. My guess is that the hackers simply scanned user ids starting from 1 and worked their way up.
That would explain the high incidence among hackers, who are more often early adopters. I've been surprised by how many people I've heard of getting the email, including people in this comment thread and myself, considering only 250,000 emails were sent out of their couple hundred million accounts.
I've been suspecting the same thing. Two of my accounts received the email, both created several years ago, while none of my newer accounts have been compromised.
Twitter employee, here. At one point in time, auto_increment_increment was > 1 on the MySQL master for uid generation. This led to many holes in the uid range.
I'm seeing a ton of people I know on twitter complain - I'm user 5511, and these are people who joined at the very beginning too - so your theory is indeed apparently correct. I got an email myself, and reset my already super complex password.
I don't know what # user I am (how can I get this information?) but my twitter account was also created in 2007 (on the 8th of April says whendidyoujointwitter.com) and is still active. Also received the email.
This is bullshit. I just got this message, and until I signed into HN I had no idea if Twitter was hacked or if there was a problem on my end. Which would be alarming, because all of my passwords are 30+ random characters, and I never reuse passwords across websites. Fuck you, Twitter.
Just a guess here, but maybe to get the emails out to users fast they re-used an existing template that was intended for resets due to 3rd party incidents.
random_char = '1' # chosen by fair dice, guaranteed random
return random_char * n
Just kidding. That stinks. I'm guessing your password was quite strong. Any idea how many bits of entropy it was?
It sounds like at this point Twitter sent out the email in parallel with trying to figure out how these compromises happen. Since they salt the hashed passwords, they don't know how complex your password was. Of course, you should still change your password. I changed my 80-bit Linkedin password after it was stolen.
My own solution is to have two different passwords for everything - one for banking and credit cards, another for crap like twitter/linkedin. I haven't changed my passwords for years (no point really, as you're likely to have the breaking as soon as they get your password).
I think there are risks with all solutions to the password problem.
The timing of this hack, and the fact that Twitter was (at least at one point) a Rails app, and still uses Ruby on the front end, makes me think this is likely a YAML vulnerability exploit. Can anyone confirm/rule this out?
Of course, that potentially means that 250,000 user accounts were also compromised on Facebook, Pinterest, Instagram, GMail, Yahoo Mail, Hotmail, et al. If you aren't using a different password for every service or are using only a derivative of a master password (eg. hunter2@twitter, hunter2@gmail, etc), CHANGE YOUR PASSWORD on all services using the same email address (or derivatives) as your Twitter account. Setup 1Password.
If only the salt and the hash were stolen as is being stated, and you used secure (read, non-dictionary-word-derived strings) you're probably okay even if you reused passwords.
But you shouldn't be reusing passwords anyway, of course, so go change them regardless.
Yeah, big deal; assume it's known. Change it; change any other service with something "identical." Of course, if you are smart enough to know the implications of both a strong password and salting and not using the same password, you can make your own decision, but if you are at that point, why not change it regardless?
And while you're at it, setup two-factor authentication on your Google account. It's a PITA, but much less of a pain than trying to get your account back.
You know, I've had this going on all four of my Gmail/Google accounts (!) for well over a year now, and I still think it's totally worth it. It's not really a pain, and I can sleep better because of it.
I'm a Nov 2006 account and I just got the email - since then I have reset my password to be particularly strong - but it seems it's forcing me to do it again (not that I mind, I use a very strong password stored in LastPass)
I was an engineer at Google when the Aurora attacks happened. Until we know more about the attackers and how it was pulled off, we don't know if this was amateur hour security, or if Twitter was facing an Advanced Persistent Threat with multiple 0days and custom malware.
Google used a combination of kerberos, SSH public key auth, client-side SSL certs, and a custom crypto system called Low Overhead Authentication System (LOAS), all of which utilize zero-knowledge proofs rather than sending passwords to the server. Google still got compromised, using a (0day?) Adobe Reader exploit sent via impersonating a co-worker on AIM or MSN Messenger (as I remember).
Let's leave the jury out on this one until we find out what happened.
I'm not aware of any such public documentation. Given the sorts of highly capable threats Google is up against, I imagine they want to do everything in their power to slow down attackers.
Also, they don't even allow the codenames of various parts of their infrastructure to be leaked, much less how the parts relate and how they're protected.
I'd really like to see LOAS open-sourced. I imagine that, like Kerberos, it's based on Needham-Schroeder, but I've never seen its source code or any design documentation.
I received this same mail earlier. Very glad that I have a policy of strong random passwords for each site. Not affiliated with them other than being a user, but I recommend Lastpass + Yubikey for two factor (you can Google Auth as well with Lastpass).
They need to make public the details. How was it done? They left that out of the announcement. You guys know better public disclose of hacking techniques prepares much less tech savvy (about everyone) that twitter website operators can prepare and protect themselves.
I'm guessing they got a non-anonymized mini dump of the database for local development. An engineer may have had a small subset of data on his local machine.
Wow, poor precious. Are you likewise insulted when the bank tells you not to keep a written note of your PIN with your card? As obvious as it is to you to ensure good password hygiene, it should be obvious that Twitter has a clear interest in encouraging less informed users doing the same.
Very concerning that while my session was terminated in my browser my iPhone and iPad apps are still authenticated. Shouldn't those sessions have been invalidated too?
Performing a "forced-reset" on waves of accounts is a pretty effective way of eliminating 'anonymous' accounts no longer linked to a valid email. I bet a decent number of users were permanently locked out of their accounts.
151 comments
[ 4.7 ms ] story [ 231 ms ] threadEdit: I wonder if the bad guys were able to access private Direct Messages, too. There's always talk about resetting passwords, but nobody ever mentions all the other confidential data that might be pastebin'ed later.
There are moderate numbers of people who use Twitter for online activism. That would point more to Syria or Iran or another Middle Eastern country, since Twitter is more popular there than in China or the Chinese language.
Pretty clearly this was the work of governments e.g. China, Iran who are trying to find out more about political dissidents or the sources of leaks. They are the only ones who would use lucrative exploits against Twitter, NYT, WSJ etc.
Pretty interesting if you ask me, is it likely the use would sick the best hackers at the NSA if top secret information was being leaked on the bizzaro world's Chinese Twitter? It almost sounds like the prologue to the worlds first CyberWar.
edit: The attacker got salted password hashes. That explains it.
I got a similar message several months back, but that wasn't part of a larger leak; apparently some website I'd used a while ago had been compromised and I was using my throwaway password on Twitter at the time. Suffice to say, it's using a real one now - fifty-some-odd characters of random garbage generated and stored by 1Password. It's never been used anywhere else, so getting this email a second time just now was quite a shock (this time, my reaction was "really guys, again?" rather than "wtf?")
To their credit, they caught the first instance crazy-fast (my password had been reset automatically within about five mintes of a rogue tweet, though not before a friend texted me about it). This time I didn't see any activity at all, so I assume it was more proactive.
I'd still like an MFA option, especially with how infrequently I actually log in to twitter. However, I do like the "check your OAuth grants" page you're taken to after changing your password.
The blog post mentions turning off Java in your browser, which could be a clue to the attack vector Twitter suffered, and it's written by someone from "Information Security" rather than someone from Application Security.
Which means either the production servers were hacked or there was a widespread compromise of their internal network and systems e.g. email, IM.
And identifying the senior staff isn't probably that hard, they probably have quite visible twitter accounts.
As someone mentioned in a completely different thread, it'd be enough to have a vulnerable rails running on localhost:3000 on your laptop and "accidentally" being hit with a CSRF, for example.
Get a shell on some staffers laptop and stay dormant, I'm sure you'll catch a live ssh session soon enough [with access to that ssh client's process memory] (in fact you'd get quite far just with a copy of the id_rsa + known_hosts files)
Even if they didn't have production access, a lot of times servers are configured to easily hop from one to another. They could have connected to a development server and then just hopped to the DB server with the accounts it seems they were looking for.
Wow, finally a breach where the hackers DIDN'T make off with all of our passwords in plain-text. Kudos to Twitter for actually handling passwords properly, considering the eventuality that all websites are vulnerable to attack.
I remember a time when many people assumed md5("notreallysalt"+password) was a good practice, and twitter is old.
From the email I just got from them:
> Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account.
- People's accounts might have been compromised earlier "this week" and they could have used that extra warning time to make sure the damage didn't spread to their other online accounts.
- People who might have been compromised are now less likely to see the announcement, so if anything is compromised there's less chance they will react to mitigate damages.
Great for PR, horrible for their users.
Yes i know this is "naive" thinking, but i also think its the kind of thinking that can change a company for the better. Would it be easy? No. But in the end it its use the users that have to not think so critically of these "political pitfalls"(my words). Hacking happens, time and time again this stuff happens. If twitter(or another company) took measures to protector there users and didn't do something completely stupid like keeping plain text info, we should all just take what happened for what it is and move on. With these situations coming more and more common we are going to have to do this anyways.
Maybe the "bad" people involved in the attack figured if they got away with it less people would be looking on a weekend so they could get further.
Just saying... it's easy to assume "big" companies do what's best for them aways... but really they're just a bunch of people trying in most cases to do the right thing. So, before you click "fire" on that enter key... think about it.. there are people on the receiving end... probably a lot like you.
And anyone whose account has been compromised has received an email, a far more likely way of seeing the message than relying on everybody to occasionally check Twitter's blog for news.
EDIT: It'd be great if anyone willing to downvote would explain why it's OK for Twitter to title a notice involving a breach of security resulting in the exposure of 250,000 records containing sensitive information, "Keeping our users secure". Because it really kind of pisses me off when I read it.
EDIT, EDIT: Highest karma volatility (up, down, up, up down, etc) of any comment I've ever posted on Hacker News. I really am genuinely interested in counter points.
1) There is no evidence that all of the records were compromised. So Twitter is keeping users secure by proactively resetting passwords.
2) People need to get over this Friday afternoon release. Twitter is a global company so it's not Friday everywhere and regardless it could purely be coincidental.
You're right. In some places it's the middle of the night, and in some places it's Saturday morning... prime time for a press release.
Security is tough. Really, really tough. I'm not here to crucify them for the breach, but the title glosses over the event in a way that is disingenuous at best. When you border on dishonesty with your title, people begin to question your motives.
I'm not upset, it sounds like they detected it quickly and went out of their way to make sure everyone was not only notified but ensured that their account was safe. 250k users is a very small number of their accounts. A literal drop in the bucket. It sounds to me that they're going after the hackers and I appreciate that.
Was your account compromised?
Let's all take a deep breath and remember: It's. Just. Twitter.
[1] http://en.wikipedia.org/wiki/Twitter_Revolution
It's just twitter.
They'll likely be doing forensics for months after this, so alerting the public a few days in to the investigation is actually pretty good.
What you should be concerned about is all of the companies who got owned in this campaign and will not be confessing. This is big, and a few more companies will admit it early, a few will sneak vague statements in their SEC disclosures, and a few will cover it up completely.
With incident response for an active service. Priority one is segregation and mitigation, priority zed is writing a blog post about it.
I just got a second 'Twitter Password Reset' email with more explanatory information now, almost two and a half hours after the first.
It sounds like at this point Twitter sent out the email in parallel with trying to figure out how these compromises happen. Since they salt the hashed passwords, they don't know how complex your password was. Of course, you should still change your password. I changed my 80-bit Linkedin password after it was stolen.
I think there are risks with all solutions to the password problem.
Creation date: March 2007
User ID: 2,7xx,xxx
But you shouldn't be reusing passwords anyway, of course, so go change them regardless.
Of note, the apps I have allowed access to my account are:
tweetdeck, twitter for android/OSX and instagram.
(if that helps any diagnosis of potential attack vectors)
Not that I disagree with you but it's not exactly as if Twitter was a role-model of security on this one...
Google used a combination of kerberos, SSH public key auth, client-side SSL certs, and a custom crypto system called Low Overhead Authentication System (LOAS), all of which utilize zero-knowledge proofs rather than sending passwords to the server. Google still got compromised, using a (0day?) Adobe Reader exploit sent via impersonating a co-worker on AIM or MSN Messenger (as I remember).
Let's leave the jury out on this one until we find out what happened.
Also, they don't even allow the codenames of various parts of their infrastructure to be leaked, much less how the parts relate and how they're protected.
I'd really like to see LOAS open-sourced. I imagine that, like Kerberos, it's based on Needham-Schroeder, but I've never seen its source code or any design documentation.
http://news.ycombinator.com/item?id=5149023
Please consider signing.. https://www.change.org/petitions/twitter-com-release-the-det...
Wow, that's so insulting. How about you just do your job instead?
The email said that the password had been reset (as in dewitt's post) but I'd just logged in - after the claimed reset - with the old credentials.
That's kinda worrying.